Security code auditor is not an entry-level position. Also known as an IT auditor, security auditor, secure code auditor, source code auditor, security analyst, or information security analyst, professionals lucky enough to find themselves in this role are accomplished and highly valued members of any cybersecurity team. Security code auditors must be versed in computer programming, systems and network security, penetration testing, cryptography, and software security protocols.
Only cybersecurity professionals with a broad-based background in the field will be effective as security code auditors. In many cases, source code audits are performed by independent outside consultants hired periodically to review an organization’s security status. Organizations with substantial cybersecurity budgets are much more likely to hire a full-time security code auditor than those with a small information security staff.
Four steps to becoming a security code auditor
1. Education
Security code auditor roles require a broad knowledge of computer science, networks, systems, and all things information security. A college education should be broad-based as well. Degrees in computer science or a cybersecurity-related field are recommended. Course work should include as broad a variety of cybersecurity disciplines as possible. Look to add college courses in:
- penetration testing
- cybersecurity law
- computer forensics
- programming in several languages
- database security
- software engineering
And of course, as with any advanced cybersecurity career, making the investment in time and money to obtain a master’s degree can be well worth the effort.
2. Early career path
As security code auditor is not an entry-level position, the jobs typically used to break into the cybersecurity field will provide a strong foundation for the career. Good beginning infosec posts that lead toward a career as a security code auditor include:
- Security administrator
- Network administrator
- Digital forensics
- Vulnerability assessor
- Penetration tester
3. Professional certifications
Employers are always looking for evidence verifying that a prospective candidate has learned all necessary aspects of the position being sought. In cybersecurity, probably the best way to provide this confirmation is through professional certifications. Several cybersecurity organizations and continuing education venues provide a host of certifications in most relevant infosec disciplines. Some of the certifications that should be sought by would-be or current security code auditors include the following:
- Certified Ethical Hacker (CEH) from EC-Council
- Certified Security Analyst (ECSA), also from EC-Council
- PenTest+ from CompTIA
- Certified Information Systems Auditor (CISA)
- GIAC Certified Intrusion Analyst (GCIA)
- Offensive Security Certified Professional (OSCP)
Also, look for other appropriate certifications and certifying bodies offered by cybersecurity education organizations such as the following:
- ISFCE (International Society of Forensic Computer Examiners)
- IACIS (The International Association of Computer Investigative Specialists)
- CISSP (Certified Information Systems Security Professional)
- (ISC)2 (International Information Systems Security Certification Consortium)
4. Never stop learning
Computer technology and cybersecurity techniques are forever evolving, sometimes at a breakneck pace. Keeping current on everything that happens in all relevant aspects of security code auditing is essential to maintaining an edge and having a long, successful career. Join professional trade associations, seek relevant continuing education opportunities, network with other code auditors, and attend seminars related to the field. Among trade associations, consider joining some or all of the following:
- The Scientific Working Group on Digital Evidence (SWGDE)
- Information Systems Audit and Control Association (ISACA)
- The International Society of Forensic Computer Examiners®
What is a security code auditor?
Code is the brains of all computer systems. If anything is wrong with the brain, the entire system becomes vulnerable to problems, errors, and especially incursion from outside sources wishing to create havoc, disrupt operations, or steal secure information. Security code auditors are the brain surgeons of computer systems. They analyze, diagnose and develop treatment plans for repairing any potentially problematic code vulnerabilities.
In order to evaluate the security of computer system code, source code auditors must be familiar with all aspects of the hardware, software and networks that comprise a complete system. The range of skills and experience required means security code auditors are among the most technically skilled members of any cybersecurity staff.
As the responsibility can be daunting for even the most experienced security auditors, analytical tools have been developed to assist with the job. There are numerous open-source and commercial source code analysis tools to help security code auditors uncover code vulnerabilities in hardware and software. These programs are also referred to as Static Application Security Testing (SAST) tools and can be invaluable aids.
Still, security code auditors must be able to sift through code line by line to uncover, determine the nature of, and develop a plan for the remedy of any problems.
Security code auditor skills and experience
In order to thoroughly audit any organization's infosec status, a variety of knowledge and skills are required. Familiarity with penetration testing techniques, current cryptography protocols, network and systems security processes, software security vulnerabilities, and more must all be in the source code auditor's bag of tricks. The list of required skills and experience in security code auditor job listings is therefore often long. Here is a sampling of some of the more common requirements.
- Knowledge of programming languages such as C, C++, Python, Ruby, Java, Perl, .NET
- Current familiarity with network and systems architecture, as well as security procedures and vulnerabilities
- Current familiarity with operating and applications software security techniques and vulnerabilities
- Knowledge of OWASP Top Ten vulnerabilities
- Familiarity with source code analysis tools, such as Bandit, Brakeman, .NET Security Guard, SonarQube, Application Inspector, Cast AIP and others
- Experience with penetration testing
- Familiarity with current encryption protocols and techniques
- Experience with database security
Soft skills often required by employers include the following:
- Highly analytical
- Strong written and oral communication skills
What do security code auditors do?
Information technology in any organization is a multi-faceted enterprise consisting of hardware systems, communications networks, and software programs, and all of the protocols, permissions, procedures, and policies that determine the use of IT systems.
Security code auditors are responsible for ensuring the security of all aspects of the IT systems they oversee. Fulfilling this responsibility requires planning, executing and analyzing the results of exhaustive audits of every nook and cranny.
This means being intimately familiar with the programming languages used to write the programs running the systems, as well as all security procedures in place within the organization and the laws affecting cybersecurity methodology. It also means being familiar with current techniques and procedures in use by hackers and having an up-to-date understanding of the most commonly exploited system vulnerabilities.
In short, security code auditors must know every minute detail of every aspect of the IT systems in use by the organization paying the professional's salary. Source code auditors must plan and execute the most effective and thorough audits possible to continually assess the effectiveness of all security systems in place. It is primarily a preemptive strategy to close vulnerabilities before they are taken advantage of by hackers.
But security code auditors must also perform or assist in the performance of forensic examinations of attacks on the system, whether the attempts are failed or successful. The answers found after such attacks must then be reported on and utilized to further tighten system security measures. In a world with constantly changing and advancing technologies and hacking techniques, the job of a security code auditor is never completely done.
Security code auditor job description
Some of the most common security code auditor tasks are as follows:
- Plan, execute, and lead audits of organization infosec systems
- Conduct manual reviews of all relevant code on a line-by-line basis
- Utilize penetration testing techniques to locate cybersecurity vulnerabilities
- Utilize SAST tools to analyze code where possible
- Identify, analyze and recommend remedies to all cybersecurity vulnerabilities
- Maintain complete current knowledge of all system accessibility and permissions
- Communicate audit results and recommendations to all affected departments
Outlook for security code auditors
Cybersecurity professionals as a whole are in high demand, and in many cases, specific job titles are starving for viable candidates to fill the positions. According to InfoSec Institute, there is a worldwide shortage of nearly three million in the ranks of cybersecurity professionals, half a million in North America alone. The need for security code auditors is difficult to pin down due to the variety of titles used to describe the role, but it’s safe to say the demand is growing rapidly and should continue to do so for the foreseeable future.
How much do security code auditors make?
With the variety of titles, the propensity of many companies to hire independent consultants, and the fairly elite nature of the position, accurate salary information is somewhat elusive. Payscale.com calculates the average annual salary of IT Auditors as approximately $66,000, with compensation typically escalating steadily as experience is accumulated.